'Guccifer' Hacker Sentenced to 52 Months

A 44-year-old former Romanian taxi driver with few hacking skills but a knack for guessing his way into the email and social media accounts of celebrities and politicians has been sentenced to serve 52 months in U.S. federal prison.

Marcel Lehel Lazar, who went by the online nickname "Guccifer," pleaded guilty May 25 in U.S. District Court for the Eastern District of Virginia to aggravated identity theft and unauthorized access to a computer.

Lazar's escapades drew attention to the vulnerability of web-based email accounts through low-tech attack methods. He targeted Gmail, Yahoo, Facebook and AOL accounts used by nearly 100 prominent people, gaining access through weak passwords and then accessing their correspondence.

Among the victims were former Secretary of State Colin Powell and the sister of former President George W. Bush. Lehel released emails and sensitive information from accounts, and in the case of Bush, photographs of self-portraits he'd painted, including one of himself in the bathtub.

Lazar also revealed that Democratic presidential nominee Hillary Clinton used a private email address while secretary of state, fueling a continuing email scandal that plagues her campaign.

Repeat Offender

U.S. prosecutors indicted Lazar in June 2014 just after he was sentenced to four years in Romania for similar offenses. His targets in that country included the former director of Romania's intelligence service, George Cristian Maior.

He was released early to face the U.S. charges and was extradited in April of this year. The U.S. indictment covers Lazar's activity between October 2012 and January 2014. Lazar released information from compromised accounts, including medical and financial information, prosecutors say.

Lazar caused a stir when he spoke to NBC News from a maximum security prison in Bucharest prior to his extradition. In the interview, broadcast in May following his extradition, he made an unsubstantiated claim that he accessed Clinton's private email server and downloaded some material.

Lazar told the broadcaster: "It was like an open orchid on the internet, as many such servers are. There were hundreds of folders with boring stuff, political boring stuff. It was not what I was looking for." The claim was called into question because, unlike other accounts he breached, Lazar didn't release material from Clinton's server.

He said he discovered Clinton's private email address, hdr22@clintonemail.com, after compromising the email account of Sidney Blumenthal, a longtime adviser to the Clinton family. Lazar, who denied working for a foreign government, passed emails to the Smoking Gun website and Russian state-sponsored broadcaster RT.

Lazar, whose nickname is a portmanteau of Gucci and Lucifer, said during the interview he executed the compromises with a cheap computer and a mobile phone. His intrusions, he said, were intended to expose the Illuminati.

Even if his claim of downloading Clinton material was a fib, it caused even more trouble for the U.S. presidential candidate as she defended the use of a private email server for government business.

Followed by Guccifer 2.0

Guccifer's notoriety prompted another hacker to borrow his moniker this year. In June, someone going by the nickname "Guccifer 2.0" claimed to be the sole hacker who breached the Democratic National Committee's systems. Like the original Guccifer, the successor also released sensitive documents (see Lone Hacker Claims to Have Breached DNC).

Guccifer 2.0 claimed to be Romanian, but the person didn't speak Romanian that well, according to the news site Motherboard. The U.S. government and private security companies suspect Russian intelligence may be behind the Democratic Party hacks, but the country has denied involvement (see Report: Russia's 'Best' Hackers Access DNC's Trump Research).

Password Management Lessons Learned

Although the authentication weaknesses of web-based systems are well known within computer security circles, Lazar's demonstrations from rural Romania brought those faults widespread attention.

It would be nearly impossible these days to be a digital citizen without using web-based servers that authenticate through logins and passwords. The usual mitigation advice continues to apply: Use a strong, unique password and implement two-factor authentication, preferably not over SMS.

Some web services, such as Dropbox and Facebook, can send alerts of a successful login from a never-seen-before device. Sometimes those alerts aren't on by default, though, and need to be activated.

It's also helpful to use a password manager, which makes it feasible to set a unique strong password for many web accounts without having to remember many of them. Most of those applications have password generators, which makes creating strong ones painless.

Of course, that advice applies not just to celebrities and politicians who may be targeted by future Guccifers, but to any internet user.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.